Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have a site running in Integrated mode on IIS7 and have changed the web.config so the static files are authenticated. What I would like to fix is when a request for a not existing file comes in, it still goes through the .NET authentication pipeline, I see by debugging Begin_Request() method that the request is made for /login.aspx?returnurl=filenotfound.js (paraphrasing here).
Has anyone got any tips on how to catch and return the 404 before the authentication kicks in?
Thanks
My main bit of advice would be; don’t.
If you require authentication on certain resources, then you’ve presumably got something to hide. When you’ve got something to hide, you should pay attention to what you are revealing, and when you are giving a different response for a resource that has a file for it and one that doesn’t you are revealing something.
Is this a major security hole? I can’t say, but it could be enough to reveal something to an attacker. It’s certainly and enlargement of the attack surface, so you’ve got two options.
The latter is easier and less error prone.
That said, there’s a few ways to do authentication in ASP.NET with integrated mode. Are you doing it in modules that handle the
AuthorizeRequestandAuthenticateRequestevents? You could have them check whether such a case is occurring (check whether the URI maps to an existing file or not) and not send a 401 if that’s the case.